Comprehensive script to protect a MikroTik router against worms and other malware
This script blocks common attacks against your MikroTik router: it disables unneeded management services, drops memcached amplification traffic, rate-limits DDoS sources, blacklists port scanners and throttles password brute-forcing against FTP and SSH/Telnet, keeping your MikroTik router cleaner:
# See further firewall rules at https://rickfreyconsulting.com/basic-mikrotik-firewall-rev-5-0-free-version/

# Disable management services that are not needed (re-enable only what you use)
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# Drop memcached (UDP 11211) amplification traffic passing through the router
/ip firewall filter
add chain=forward dst-port=11211 protocol=udp action=drop comment="Memcrashed - Amplification Attacks UDP 11211"

# Anti-DDoS: new connections jump to block-ddos; pairs exceeding 50 new connections/10s are listed and dropped for 10 minutes
/ip firewall filter
add chain=forward connection-state=new action=jump jump-target=block-ddos comment="Anti DDoS Attacks"
add chain=forward connection-state=new src-address-list=ddoser dst-address-list=ddosed action=drop
add chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s action=return
add chain=block-ddos action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m
add chain=block-ddos action=add-src-to-address-list address-list=ddoser address-list-timeout=10m

# Port scan detection: mark sources using PSD and nmap-style TCP flag combinations, then drop them for 2 weeks
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Mark Source ip port scanner to Address list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="Drop port scanners" disabled=no

# Brute-force protection: FTP failures are detected on the "530 Login incorrect" reply; SSH/Telnet uses a staged address-list ladder
/ip firewall filter
add action=drop chain=input comment="drop ftp BRUTE FORCErs" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh BRUTE FORCErs" dst-port=22-23 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22-23 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22-23 protocol=tcp src-address-list=ssh_blacklist
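To see how the staged SSH/Telnet ladder above actually escalates, here is an added Python simulation (not part of the original post or of RouterOS) of those rules. It assumes RouterOS semantics that the script relies on: rules are evaluated top-down, and add-src-to-address-list is a passthrough action, so one new connection can advance several stages; the timeouts and IP addresses are constructed from the rule values.

```python
# Added example: simulate the ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist
# ladder from the MikroTik script above for connection-state=new packets to 22-23.
# Assumption: add-src-to-address-list is passthrough, so a packet keeps matching
# later rules after being listed (this is what makes the ladder climb).
from dataclasses import dataclass, field

STAGE_TIMEOUT = 60             # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400  # address-list-timeout=1w3d


@dataclass
class AddressLists:
    # list name -> {src_ip: expiry time in seconds}
    lists: dict = field(default_factory=dict)

    def contains(self, name, ip, now):
        exp = self.lists.get(name, {}).get(ip)
        return exp is not None and exp > now      # expired entries no longer match

    def add(self, name, ip, now, timeout):
        self.lists.setdefault(name, {})[ip] = now + timeout  # re-adding refreshes


def new_ssh_connection(al, ip, now):
    """Walk the input-chain ladder for one new SSH/Telnet connection.
    Returns 'drop' if the blacklist rule fires, else 'pass' (ladder did not drop it)."""
    if al.contains("ssh_blacklist", ip, now):     # drop rule sits above the ladder
        return "drop"
    if al.contains("ssh_stage3", ip, now):        # 4th attempt within the windows
        al.add("ssh_blacklist", ip, now, BLACKLIST_TIMEOUT)
    if al.contains("ssh_stage2", ip, now):
        al.add("ssh_stage3", ip, now, STAGE_TIMEOUT)
    if al.contains("ssh_stage1", ip, now):
        al.add("ssh_stage2", ip, now, STAGE_TIMEOUT)
    al.add("ssh_stage1", ip, now, STAGE_TIMEOUT)  # unconditional last rule
    return "pass"


def simulate(events):
    """events: iterable of (time_seconds, src_ip) for new connections (constructed)."""
    al = AddressLists()
    return [(t, ip, new_ssh_connection(al, ip, t)) for t, ip in sorted(events)]


if __name__ == "__main__":
    # Constructed input: 5 rapid attempts from one address, slow attempts from another.
    fast = [(t, "203.0.113.5") for t in (0, 5, 10, 15, 20)]
    slow = [(t, "198.51.100.7") for t in (0, 70, 140, 210)]
    for row in simulate(fast + slow):
        print(row)
```

The fifth rapid attempt is dropped (the fourth is what lands the source in ssh_blacklist), while a source that waits longer than the 1-minute stage timeout between attempts never climbs past ssh_stage1.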
Website powered by Nguyễn Quang Thắng - Source code by Nguyễn Quang Thắng & Phạm Đình Đức